December 3, 2004 5:40 AM PST

Perspective: False promises about ending spam

When it comes to combating the spam pandemic, there's the appearance and there's the reality.

As far as appearances go, things are looking up. Congress finally passed a real antispam law: the Can-Spam Act, which took effect Jan. 1.

Microsoft, Yahoo, America Online and EarthLink now have a powerful legal weapon they can use to bring spammers to heel. And it's not just the Internet service providers. Earlier this week, Ohio's legislature got into the act when it passed a bill to let the state put out-of-state spammers on trial.

Great. I say send all the bums to Siberia and force-feed them castor oil twice a day, if that's what it takes. But get-tough measures alone won't suffice--and this is where the debate about what to do needs to shift focus.

For too long, the question of how to fight spam--with technology or with laws, that is--has been viewed in either/or terms. Technologists are comfortable with technology and look down their noses at government-imposed solutions. The politicians usually don't have a clue what the technologists are talking about. And so you have all the makings of a dialogue of the deaf.

But there are signs that the thinking is starting to evolve.

I recently attended a colloquium where a clutch of technology executives debated what to do. But even these experts acknowledged that there was no such thing as a magic bullet to stop spam. Instead, they expressed palpable unease at how spam has turned e-mail into a medium of maybes--the result being that Internet communications have lost the vital attribute of reliability.

Their one uniform point of agreement was that spam in all its derivations constitutes a mortal threat to the vitality of the Internet as a vehicle for communication and commerce.

How bad? Sink your teeth into these stats (courtesy of Symantec CEO John Thompson): There are 100 new viruses and 50 new vulnerabilities detected each week. And the fastest-growing nonviolent crime of them all is phishing. At one time, spam may have been a problem of minor annoyance, but phishing has turned it into a problem of fear--so much so that the average ISP is now spending significant amounts of money on e-mail hygiene. If this keeps up, you can kiss the future of low-cost (or free Web) e-mail goodbye.

I'd like to believe the technology industry is smart enough to figure out a solution. That assumes rival companies can check their egos sufficiently in order to play nice with each other. That's easier said than done. When it comes to deciding how best to provide e-mail authentication, for example, you have Microsoft pushing its own "Sender ID," while the other big guys treat anything emanating from Redmond as if it were radioactive.

And then there's Yahoo and Cisco each coming up with rival e-mail systems that use digital signatures to verify the sender's authenticity. For what it's worth, a Cisco exec attending the meeting said the companies are talking with each other. I'm not holding my breath, but hey, hope springs eternal.

The politicians view this as a political issue, and so their reflex reaction is to enact legislation. But spam is a global problem, and enacting new laws in the U.S.A. won't do much to impress a phishing ring in Moscow.

What's the next move? I think Thompson nailed it when he said the key to making serious inroads is to change people's online behavior. He recalled that the government's Smokey the Bear campaign--as corny as it was--was a huge success in curbing the outbreak of man-made forest fires.

This would be more than a lame update of Nancy Reagan's "Just Say No" antidrug mantra. The idea here is to put responsibility on the shoulders of Internet users and compel them to pay more attention to spam prevention. Fact is that when it comes to spam, it's not just good guys versus bad guys anymore. It's also what to do about the lazy guys--the careless Web surfers. They are the ones who are getting in trouble.

Face it--people still do dumb things when they get online. Many people don't pay attention to how they share information over the Internet and to what they download. If you can raise awareness and influence behavior patterns, that may not eradicate spam. But it would go a long way toward drying up the swamp.

Biography
Charles Cooper is CNET News.com's executive editor of commentary.

17 comments

No single measure can prevent spam
The common thing to all the different technological and legal ways that are widely discussed as ways to fight spam, is that no single one of them can prevent it. If one measure is adopted globally, spammers can find a way to avoid it. "Identification" schemes like SenderID and SPF can be easily bypassed as spammers already have, simply by not hiding the sender's true domain. Instead the domain owner's identity is disguised. Laws can be bypassed by not only operating "off-shore", but also distributing parts of operations across several jurisdictions in ways that make enforcement too complicated even when there is international cooperation.

But even so, right now, without any changes to the email infrastructure or to laws, people that really want to avoid spam can avoid it almost completely. But to achieve this a person has to be much more "aware" of possibilities, as the article suggests.

The main reason spam is possible is that email addresses are used by people as if they are phone numbers. They are not! Phone numbers are scarce. But there is an endless supply of email addresses. So people can have many more than one, and use tools to control whose mail can be received on what address. Spammers cannot operate in this kind of environment. They need mailboxes that are accepting everything and make people go over all their mail manually to classify it. That's their business model. That's why they can expect people to actually look at what they send. It doesn't have to be that way. But a person has to become aware of possibilities and find out where the service that would enable one to have multiple addresses exists. ISPs have absolutely no interest in providing these services. ISPs give people email addresses to make it hard for them to change provider. It is very easy to change a connectivity provider. But if you used the email address provided by the ISP then the ISP became part of your identity. Then to change ISP you need to change identity. And this is not easy: you need to tell everyone who knows your old identity about your new identity. Most people don't have a list of all people who have their old identity. So they're locked in.

Now to laws: most laws that try to treat spam try to make definitions that capture specific activities and call them spam. That is wrong. The real nature of the problem is not that it's unsolicited or commercial. The real problem is that it's "bulk", and there are many other problems whose real nature is really just their being "bulk". For instance, P2P file sharing: the real problem for copyright owners is not the P2P nature of their system, but rather the "bulk" nature: people could copy things before the internet era. What has changed is just the amount of data that is accessible. So what the legal system should be concerned with is not the specifics of the problem, but the magnitude: when A sends spam to B, B might be annoyed. When A sends spam to a million B's, perhaps only half a million of them get annoyed. But that's much more than one. When A sends spam to B, the spam A sent may just be the last message that B's mailbox accepts before the storage quota is full. But when A sends spam to a million B's, perhaps 10000 of them would stop receiving any other mail sent to them because A used up their quotas. This is something foreseeable, and A should be made accountable for the damage. But the legal system should probably adopt new doctrines to make A responsible for the outcome of A's actions that are foreseeable only using analysis of probabilities. Can the legal system handle this? A sends a million emails to a million B's. The chance that any single B would be damaged as a consequence of this single message received is negligible. But that thousands of recipients would be damaged by A's actions is not negligible - it's a certainty. It's foreseeable with certainty much higher than the certainty courts require of themselves when sentencing a person to death. Still I'm quite sure courts are crippled when they come to deal with this kind of certainty, since the legal system was designed to deal with single cases one by one.
However technology enabled villains to commit millions of "negligible" damages by pushing one button. The legal system should adapt to be able to treat this. Single laws would not suffice. There is a need for a legal theory to deal with these issues.
Posted by hadaso (468 comments )
A simple fix (and a little "told you so")
I have to say that calling CAN-SPAM a "powerful legal
weapon" rubs me the wrong way. Like many anti-spam
activists, I predicted what would happen when it passed:
Spam would skyrocket into the nightmare assault we all
know today. And that's exactly what happened. Direct
Marketing Association lobbyists played a major role in
crafting this disastrous, fatally flawed legislation... with its
worse-than-useless "opt-out" mandate. By forcing users to
opt-out of lists they don't opt-in to, CAN-SPAM only
succeeded in legalizing instead of banning spam.

Now we're stuck with it.

But spam would still go away tomorrow if no one - not one
single person - bought anything spammers are peddling.
Phishing would disappear if people simply paid attention
when somebody asks for personal financial info.

While I welcome the fact that big corporations are finally
waking up - now that their profits and trust are threatened
- I hope the media spends a lot more time educating users
(and technically challenged legislators). And I hope users
who hate spam will educate family, friends, and colleagues.
I hope people who buy stuff from spammers will be seen as
the social pariahs they are. You know, like cigarette
smokers or telemarketers.
Posted by (2 comments )
Well said.
I like this part:

"with its worse-than-useless "opt-out" mandate. By forcing users to opt-out of lists they don't opt-in to, CAN-SPAM only succeeded in legalizing instead of banning spam."

But also, say I want to protect my grandmother from attack, can you point me to a free secure "sandboxed" email client I can install on her machine?

One where I can simply tick one option and it will block all potentially dangerous email extensions?

What about an antivirus program that is more focused on educating people than scaring them?

What about a system works type application that gives users GUI checkbox access walking them through a wizard that secures their PC and educates them? (I have seen a tool for Linux that does exactly this but the name eludes me, I want to say bastion linux but my first google matches disagree)

There are technical solutions to the problem, it is just hard to see what they are without money on the other side.
Posted by Dachi (790 comments )
You've solved the problem with the problem!
You said:

>>>If this keeps up, you can kiss the future of low-cost (or free Web) e-mail goodbye.<<<

The reason for so much spam is the simplicity of easily creating a new "FREE" web e-mail and thus the bye-bye saga shouldn't be one of sorry, but one of happiness.

Nothing is free in this world today except e-mail addresses. And thus the cause of SPAM. Remove this freedom and this proportionately removes the amount of SPAM.

Sincerely,
Posted by wbenton (519 comments )
Excellent observations
But I would go one further. Spam is just another word for "terminal illness of society at large." There will always be idiots on the Internet. And it will never be economically more viable to stop the spammers than it is to just erect walled communities -- this is what our free market economy has done for crime in our neighbourhoods. It's the tragedy of the commons, folks. Build a wall. That's as good as it will get.

Of course, building a wall won't solve the problem. It just causes spammers to pile dirt so that they can pour their #$@% in over top of the wall. Then you build a higher wall. They climb it. So you put up razor wire. Etc..
Posted by ttul (34 comments )
There is big money in keeping people in the dark
We don't want to tell people to remap .scr, .vbs, and .com files etc. to notepad. We don't want to give them more secure email clients. We don't want them to understand phishing and know how to avoid it.

If you want protection people having your computer, buy a firewall.

If you want protection from viruses, buy norton.

If you want the phisherman to stay at bay, I have a tool that will detect it for $30 we tell them.

The security companies make money using scare tactics to get people to buy their products.

"firewall has blocked a hack attempt of the Sub Seven trojan from accessing your computer, the full version will look up the IP of the attacker"

No, firewall detected a SYN packet sent to a port that was closed anyway, but do we tell the end user that? hell no.
Posted by Dachi (790 comments )
The Big Boys and Spam
In all the discussion concerning the curbing of spam, we seem to forget that many very large corporations view it as a marketing tool. And use it prodigiously! I haven't heard a word out of them about ceasing and desisting, so to speak. As long as the recipient's eyeballs are engaged and he buys something, spam will be with us. Sad, but true. Laws be damned!
Posted by dcmorton (1 comment )
Two Words: Cloudmark SafetyBar
Their spam-fighting concept is simple and effective.

The Usual Approach: Brute Force
-- Jump through hoops trying to figure out if a message is spam or not
-- Use Bayesian searches and Blacklists and IP address scanning and on and on and on
-- Leads to a natural escalation of efforts to block spam vs. spammers doing their tricks to get around the blockers
-- Cat and mouse game
-- There are always false positives - legit messages that get blocked

The Cloudmark Approach: Good Old-Fashioned Word of Mouth
-- "Hey, buddy. This message is spam. Pass it on."
-- If you're a trusted member of the community, your "tagging" a message as spam carries more weight.
-- Spammers need a lot of "friends" privy to their scam to circumvent it - not likely.
-- Good triumphs over evil

** I don't work for the company, nor do I have any relationship to them. I just think their product is fantastic.
Posted by yakhunter (1 comment )
Dontronics has advice for spam control
See http://www.e-dotcom.com/spam_exp.php

Describes an e-mail strategy that sidesteps the typical spam-bot. Keep your primary account secret, and only work from extra accounts that you periodically rename and number. Any mail that goes to the old address is answered with a reply that tells the sender how to properly send to the new address.

If everyone followed the links to the phishers and gave them bogus credit info, would it overload their search tools?
Posted by (16 comments )
A path to the promised land
True, no single technology or legislature provides a solution. But, there are technologies that help end users mitigate the problem. Thus with incremental advances in the right direction we can reach the promised land of little spam and no phishing.

Spam is more difficult to resolve of the two evils since different people have different needs. Take for example an online newspaper that advertises the email address of the author at the header of the story. No doubt that email was harvested long ago. They could use a form (like the one I am using to submit this story) for better protection. People who sign up to web sites and give out their email addresses, trusting those sites, can mitigate the anticipated spam problem by using disposable email addresses so that they will provide a different address to each site they sign up with. There are tools on the market that can help them do so automatically.

As for phishing, anyone suggesting that people be careful when they fill out online forms, did not experience a phishing scam first hand - it can be quite misleading. Phishing is going to be worse before it gets better. The good news is that phishing is about trying to disrupt a one to one relationship between a web site and one of its users. The technology to fight this disruption is here by way of secure login, but it will take time before people understand that the cost (both in monetary and time resources) is justified.
For now again, there are tools that can mitigate phishing risks by automatically alerting people if they detect that they submit personal information to a suspicious web site.
Posted by (1 comment )
incremental advances
http://www.analogstereo.com/saab_owners_manual.htm
Posted by Ubber geek (325 comments )
There is no silver, but ...
I read Mr. Cooper's comment with interest.

The American solution as enshrined in the CAN SPAM Act of 2003 is to prohibit fraudulent behaviour involving commercial and transactional e-mail.

This is fine as far as it goes. But, the problem has become worse. One has to ask why?

* The law does not contain a clear prohibition against sending unsolicited commercial email.

True, the sending of commercial email without affirmative consent violates the acceptable use policies of most Internet access services.

The Federal Regulators Are Coming To Town
http://www.learnsteps4profit.com/antispamfr.html

However, with the publication in April by the FTC of the guide titled "The CAN-SPAM Act: Requirements for Commercial Emailers," which in essence is a blue print for sending unsolicited bulk commercial email, one has to ask, is this what people wanted?

Requirements for Commercial Emailers
http://www.learnsteps4profit.com/cer.html

(I argue in a side note on this page, that it remains illegal to send UCE, but ...)

* Criminals know the vulnerabilities and that the enforcement agencies are under-funded.

This is self evident. We know who the bad guys are, but despite ongoing enforcements, including operation "slam spam" we continue to "drown in the stuff."

Register of Known Spam Operations
http://www.spamhaus.org/rokso/index.lasso

* Email Authentication will not stop unsolicited bulk email. At the same time, authentication and accreditation (reputation) does hold out the possibility of making life easier for legitimate marketers, although a great deal of work remains to get it right.

Who Pays And Surviving The Email Transition
http://www.learnsteps4profit.com/emwp.html

Unfortunately, none of the email authentication proposals presently on the table are ready for prime time.

Two of the IP/Domain based proposals, Sender Policy Framework (SPF) and Microsoft's Purported Responsible Address proposal (SID) have not been the subject of a focused technical review by an outside panel of experts as called for by the Internet Engineering Security Group after closing MARID.

The other IP/Domain based proposal, Client SMTP Validation (CSV) may be too narrow in scope.

Further, Microsoft's draft patent license continues to divide the industry.

For The Record, Will Microsoft Own Email?
http://www.learnsteps4profit.com/wme.html

What Does Microsoft Have To Hide?
http://www.learnsteps4profit.com/let.html

The light weight cryptographic approaches, including Bounce Address Tag Validation (BATV), DomainKeys (DK) and Identified Internet Mail (IIM) need work and field testing.

So, is there hope? Or are we destined to see email go the way of the dodo bird?

I believe the short answer is yes. But, a couple of things need to happen:

* The Direct Marketing Association needs to change its stance and support permission based email marketing.

As long as the DMA continues to push the view that the right to send unsolicited commercial email trumps the property rights of network providers and the individual right to privacy we are destined for problems.

* Congress needs to amend the federal legislation to prohibit unsolicited commercial email, adopting the Australian approach, while making it easier for federal prosecutors and the regulatory agencies to enforce the prohibitions against fraudulent online behaviour.

* Once this happens, industry needs to come up with a set of best practices and a mechanism for keeping these standards up to date.

* Ongoing efforts are required to share information within industry and between the private sector and the regulatory agencies.

* The proponents of the various email authentication proposals have a great deal of ego and pride vested in their respective solutions.

This is understandable. A great deal of work has gone into the effort.

Besides, the fight against online abuse is "big business."

But, the various proponents need to take a step back and stop saying, we can stamp out spam.

The reality is that online fraud and forgery is a fact of life. Yes, we need to bring the situation under control. However, it is important to be honest in our assessments.

In particular, as to SPF, SID and CSV (the IP/Domain based proposals), we need:

* A focused technical review of SPF and SID to ensure these proposals do not contain any deleterious mechanisms, before any wide scale testing can proceed forward.

* An admission that the proposals are complex for the average person. To allow for wide spread implementation, the proposals have to be brought down to the level of the average online business person.

* Large scale dry run tests are required, with the results being honestly evaluated before people run and jump and say, this is the way forward.

As to the consumer:

* Continued consumer education. The average Internet user has to become much more savvy about how to protect themselves. Hey, it is a big bad world out there and people need to take precautions.

* Before a software product comes onto the consumer market it has to be thoroughly tested. It is no longer acceptable to unleash a product which has known security flaws.

John Glube
Toronto, Canada
Posted by (1 comment )
Cross Analysis is the way to go...
There is no one way to stop spam, viruses and phishing attacks. In fact, there are lots of different techniques -- and using them together can provide 98%+ effectiveness with no false positives. MailFrontier's unique cross analysis technology provides exactly that.

http://www.mailfrontier.com/products/gs_spam.jsp

(For the record, I do work for MailFrontier, but in the last 2 years I have not seen another technology that so consistently delivers instant and seamless value. After reading Cooper's despair about the subject, I needed to point out there IS a solution to these problems.)
Posted by (1 comment )
Must consider legitimate E-Marketing as we
I agree that spam is a huge problem but one thing we must consider when we pass legislation and that is the legitimate E-Marketer. Not everything is spam. I am an E-Marketer but I only email people who have asked not once but 2 times for my info. Much like I opted into C/net to even be able to post this comment right now. I gave C/net permission to send me the news by email. The problem with spam filtration systems is that they have way too many false positives and filter out legitimate wanted email. The other problem is people call all email including opted in emails as well, SPAM! People need to realize that when they fill out a survey online they are also opting into their mailing list and will be receiving offers from that company. People need to read what they are filling out online. It amazes me that people will opt into a list not once but 2 times and then when you send them the requested info they say you are spamming. So surfers remember when you fill out that survey online you gave permission to someone to email you. Don't be shocked when they send you the info and start calling it spam. By the way, it's reported on the news to not use the unsubscribe links of emails to opt out because it tells the spammers your email address is live. This might be true in some cases; it's not in all cases. If someone wants off of my list the only way I would know is if they use my unsubscribe link to get off my mailing list. There are tons and tons of legitimate E-marketers who do honor all unsubscribe requests and operate within the law. I personally think that most of what people call spam isn't really spam. I think that they have at one time opted into a list and given permission to receive emails. Then time goes by and they forget and now they cry spam. I know that I have been wrongly accused of spamming as all legitimate E-marketers have but I was able to quickly prove that they had opted into my list. So don't cry foul if you fill out something online and you begin receiving offers. To add insult you have the so-called experts telling you to not unsubscribe! I ask who is promoting spam now? How can you get off a mailing list if you are being told not to use the unsubscribe link. Let me tell you, if a spammer wants to know if your address is live there are far better and easier ways to tell than to use an unsubscribe link to check if your email address is live.

Scott
Fla.
Posted by (2 comments )
problem with spam
http://www.analogstereo.com/saab_9-3_owners_manual.htm
Posted by Ubber geek (325 comments )